On Fri, Feb 15, 2002 at 01:17:15PM -0000, Chris Evans wrote:
> What I see in auth.log is (consecutive lines):
> Feb 14 23:19:29 www sshd[438]: Did not receive ident string from
> xxx.yy.zzz.uu (actual number removed in case!)
> I think that's an unsuccessful attempt to log in, am I right?

Not exactly. It means that xxx.yy.zzz.uu attempted to initiate an ssh
connection, but failed to properly identify the user running the client.
A failed login attempt looks like:

Feb 15 09:29:23 altima sshd[13760]: Failed password for esper from 127.0.0.1 port 4256

> Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
> Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
> don't understand why sshd did that then, 30 minutes later

That's normal activity. It protects against the key being compromised
by, essentially, causing the old one to expire.

> then the next lines are me testing what happens if I try to do
> an illegal login:
> Feb 15 07:36:08 www su[1154]: + ??? root-www-data
> Feb 15 07:36:08 www PAM_unix[1154]: (su) session opened for user www-data by (uid=0)
> which looks alarming but I was slung out by shell being
> /usr/bin/false or by fact I didn't give right password

It was the shell that did it. If you had given the wrong password, you
would have seen something like:

Feb 15 09:34:19 altima PAM_unix[13778]: authentication failure; esper(uid=1000) -> root for su service
Feb 15 09:34:21 altima su[13778]: pam_authenticate: Authentication failure
Feb 15 09:34:21 altima su[13778]: - pts/3 esper-root

Note the + for successful auth, - for failed.

> Feb 15 07:55:52 www sshd[1375]: Accepted password for xxxxxxx from
> zzz.zzz.zzz.zzz port yyyy
>
> That last line seems to be the logging of a successful login and it's
> very reassuringly different from the one from someone else, from an
> outside IP address.

Yep.

> I'm also under the impression that sshd generates new keys when
> restarted and at intervals, does anyone know if that is right?

Correct. That's what the "RSA key generation" lines you asked about
were from.

-- 
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius

Innocence is no protection when governments go bad. - Tom Swiss
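Added example, not part of the original message: a small Python classifier that sorts auth.log lines into the message shapes discussed in this thread and counts failed SSH passwords per source address. The sample lines are constructed (documentation-range addresses, hypothetical host and user names), and the category names are this example's own.

```python
import re
from collections import Counter

# Message shapes quoted in the thread; first match wins. Category names
# are this example's own labels, not sshd or PAM terminology.
PATTERNS = [(name, re.compile(rx)) for name, rx in [
    ("ssh_no_ident", r"sshd\[\d+\]: Did not receive ident string from (?P<src>\S+)"),
    ("ssh_failed_password",
     r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+"),
    ("ssh_accepted_password",
     r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+"),
    ("ssh_key_regen", r"sshd\[\d+\]: (?:Generating new \d+ bit RSA key|RSA key generation complete)"),
    ("su_ok", r"\bsu\[\d+\]: \+ (?P<tty>\S+) (?P<who>\S+)$"),
    ("su_failed", r"\bsu\[\d+\]: - (?P<tty>\S+) (?P<who>\S+)$"),
]]

def classify(line):
    """Return (category, fields) for one auth.log line, else ("other", {})."""
    for name, rx in PATTERNS:
        m = rx.search(line.rstrip())
        if m:
            return name, m.groupdict()
    return "other", {}

def summarize(lines):
    """Count lines per category and failed SSH passwords per source address."""
    cats, failed_by_src = Counter(), Counter()
    for line in lines:
        cat, fields = classify(line)
        cats[cat] += 1
        if cat == "ssh_failed_password":
            failed_by_src[fields["src"]] += 1
    return cats, failed_by_src

# Constructed sample lines in the formats shown in the thread.
SAMPLE = [
    "Feb 14 23:19:29 host1 sshd[438]: Did not receive ident string from 192.0.2.10",
    "Feb 14 23:49:32 host1 sshd[242]: Generating new 768 bit RSA key.",
    "Feb 14 23:49:33 host1 sshd[242]: RSA key generation complete.",
    "Feb 15 07:36:08 host1 su[1154]: + ??? root-www-data",
    "Feb 15 07:36:08 host1 PAM_unix[1154]: (su) session opened for user www-data by (uid=0)",
    "Feb 15 09:29:23 host1 sshd[13760]: Failed password for alice from 198.51.100.7 port 4256",
    "Feb 15 09:29:27 host1 sshd[13760]: Failed password for alice from 198.51.100.7 port 4256",
    "Feb 15 09:34:21 host1 su[13778]: - pts/3 alice-root",
    "Feb 15 07:55:52 host1 sshd[1375]: Accepted password for bob from 192.0.2.44 port 1022",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines that match none of the patterns, such as the PAM "session opened" line, fall into "other" so they can be reviewed rather than silently dropped.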